Bug 15249 - nfs_serv.c can vput() junk + more
Summary: nfs_serv.c can vput() junk + more
Status: Closed FIXED
Alias: None
Product: Base System
Classification: Unclassified
Component: kern (show other bugs)
Version: 3.3-STABLE
Hardware: Any Any
Importance: Normal Affects Only Me
Assignee: freebsd-bugs (Nobody)
Reported: 1999-12-03 23:30 UTC by iedowse
Modified: 1999-12-12 07:16 UTC (History)
Attachments
file.diff (2.67 KB, patch)
1999-12-03 23:30 UTC, iedowse

Description iedowse 1999-12-03 23:30:01 UTC
	There are a number of places in nfs_serv.c where certain badly-formed
	NFS requests can result in vput() being called on an uninitialised
	vnode pointer. In nfsrv_getattr(), nfsrv_lookup(), nfsrv_read(),
	and nfsrv_writegather(), the exit code performs a vput(vp) if vp
	is non-NULL. However, since vp is not initialised before the macro
	nfsm_srvmtofh() is invoked, it is possible for this exit code to
	get called with a junk vp if nfsm_srvmtofh() does a 'goto nfsmout'.

	Another problem that affects even more functions is that on certain
	(mainly Kerberos related) errors nfsrv_fhtovp() does not leave NULL
	in its *vpp argument.

	Finally there is a problem in nqnfsrv_getlease() where it is
	possible to get it to vput(NULL).

Fix: Apply the following patches in src/sys/nfs
	
How-To-Repeat: 
	To repeat the first problem, send a truncated request to an NFS
	server where the request ends in the middle of the filehandle.

	I haven't tried to trigger the others, but it should be fairly
	easy.
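A constructed C model of the two cleanup-path defects the report describes, added here as an illustration; it is not the nfs_serv.c code or the attached patch. `vnode`, `srvmtofh`, `fhtovp` and `getattr` are stand-ins for the kernel routines, `stale` models whatever the uninitialised stack slot happened to hold, and `g_bad_vputs` counts releases of a vnode the handler never obtained.

```c
#include <stddef.h>
#include <string.h>

#define NFSX_FH 32      /* filehandle length assumed by this model */
#define EBADRPC 72
#define EPERM 1

struct vnode { int refs; };

static struct vnode g_vnode;            /* the one vnode in this constructed "fs" */
static struct vnode g_stale_slot;       /* junk the stack slot "happened" to hold */
static const unsigned char g_full_req[NFSX_FH] = { 1 };  /* constructed valid request */
static int g_bad_vputs;                 /* vput() calls on a pointer we never held */

static void vput(struct vnode *vp) {
    if (vp != &g_vnode || vp->refs <= 0) { g_bad_vputs++; return; }
    vp->refs--;
}

/* Stands in for nfsm_srvmtofh(): errors if the request ends mid-filehandle. */
static int srvmtofh(const unsigned char *req, size_t len, unsigned char *fh) {
    if (len < NFSX_FH) return EBADRPC;
    memcpy(fh, req, NFSX_FH);
    return 0;
}

/* Stands in for nfsrv_fhtovp(). Clearing *vpp before any error return is the
 * fix for the report's second bug (error paths that left *vpp untouched). */
static int fhtovp(const unsigned char *fh, struct vnode **vpp, int auth_fails) {
    *vpp = NULL;
    if (auth_fails) return EPERM;        /* e.g. the Kerberos-related failures */
    (void)fh;
    g_vnode.refs++;
    *vpp = &g_vnode;
    return 0;
}

/* nfsrv_getattr()-style handler. With fixed == 0 the local vp starts as the
 * stale slot contents (the bug); with fixed != 0 it starts as NULL (the fix). */
static int getattr(const unsigned char *req, size_t len, int auth_fails,
                   struct vnode *stale, int fixed) {
    struct vnode *vp = fixed ? NULL : stale;
    unsigned char fh[NFSX_FH];
    int error;

    if ((error = srvmtofh(req, len, fh)) != 0) goto nfsmout;
    if ((error = fhtovp(fh, &vp, auth_fails)) != 0) goto nfsmout;
    /* ... attributes would be fetched from vp here ... */
nfsmout:
    if (vp) vput(vp);   /* the exit code the report describes */
    return error;
}
```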
Comment 1 Matt Dillon freebsd_committer freebsd_triage 1999-12-12 07:16:23 UTC
State Changed
From-To: open->closed

Patch with minor modifications applied to 4.x, 3.x, and 2.2.x trees.  Nice 
catch Ian!